Jun 92021

NHS’ Plans to Share Patient Records with Third Parties

William RM Long, Francesca Blythe and Zina Chatzidimitriadou
, , , ,

NHS Digital (the national custodian for health and care data in England) in May 2021, announced a new data sharing initiative called the General Practice Data for Planning and Research (GPDPR) service. The launch of the GPDPR could result in the historical medical records of up to 55 million patients in England being shared with third parties.

Although the GP data collection was set to take place as of  July 1, 2021, on June 8, 2021 it was announced that the launch will be postponed to September 1, 2021.

This is not an entirely new initiative as NHS Digital has been collecting patient data from general practices (GPs) for over 10 years and since 2013 patients have had the option of either Type 1 Opt-outs (prevent further use of confidential data held in one’s GP medical record) or Type 2 opt-outs, (use of information held by NHS Digital for research and planning purposes), now known as the “National Opt-out”. The GPDPR service will, according to NHS Digital, be “more efficient and effective”. According to a statement made by NHS Digital, the need for the GPDPR was prompted by the Covid-19 pandemic. Since 2020 and for the duration of the coronavirus emergency period, NHS Digital has been collecting and analysing patient information obtained from their GP records under the “COVID-19 Public Health Directions 2020” (COVID-19 Direction).

What data will be collected: NHS Digital will collect the majority of structured data in a patient’s medical records (including e.g., health data, ethnicity, sexual orientation). However, no names or addresses will be collected and all other data that could directly identify a patient (e.g., NHS Number, date of birth) will be pseudonymised (i.e., replaced with a unique code). NHS Digital will however, be able to re-identify patients in certain circumstances with a valid legal reason.

What will the data be used for: According to the GPDPR Transparency Notice (Notice) the data collected will be used, for example, to “monitor the long-term safety and effectiveness of care, plan how to deliver better health and care services, prevent the spread of infectious diseases, and identify new treatments and medicines through health research”. Once collected, the data will be combined to create a single, national data lake. The Notice further states that the data will never be shared with marketing or insurance companies.

Who will the data be shared with: According to the Notice, data collected may be shared with a number of third parties including, for example, “research organisations, including universities, charities, clinical research organisations that run clinical trials and pharmaceutical companies”. The absence of a reference to “medical technology developers/ companies” is notable, as this would capture all the major and emerging players in digital health, such as software developers and “tech giants”. In fact the only way such companies could access this data is for research purposes through agreements with NHS hospitals and trusts, as has been the case so far. Any organisations accessing this data must enter into a data sharing agreement with NHS Digital.

Legal basis for collecting and sharing the data: Under the Health and Social Care Act 2012, NHS Digital, as “the Information Centre” a joint controller with the Secretary of State for Health and Social Care, has the mandate to collect and analyse data from GP practices. It (as will primarily rely on its obligation under the Health and Social Care Act 2012 and the National Institute for Health and Care Excellence (Constitution and Functions) and the Health and Social Care Information Centre (Functions) Regulations 2013 to collect the data from GPs and share this with third parties. Although, data shared with e.g., a pharmaceutical company for research purposes would be made in reliance on NHS Digital’s legitimate interests. It should be noted that where processing is carried out in reliance on a company’s legal obligations, certain of the rights under the UK GDPR (e.g., the right to object and/or erase personal data) do not apply.

How is the data safeguarded: According to NHS Digital “the new service has been designed to the highest standards” and it has carried out a Data Protection Impact Assessment which will be published shortly. Patients who do not opt out in time will have their historical records shared, although the can restrict future data by opting out at any time. A National Data Opt-out option will also be available, but will not preclude NHS Digital from sharing the data with third parties when there is a legal basis for or public interest in processing personal data, such as for managing contagious diseases.

The Delay: Following the announcement of the GPDPR by the NHS, serious concerns were raised in particular, around the lawfulness of the service i.e., in the absence of patients’ explicit consent, and the absence of adequate information alerting the public to the prospective sharing and providing them with sufficient time to opt-out.

Addressing these concerns will be key to more patients sharing their data and creating an invaluable lake that, with the right controls, can give rise to innovation for the benefit of patients and the healthcare system as a whole. One such example has been the NHS data sharing practice with DeepMind, which published these contracts and maintained a transparent and ethical approach to this data, result in the development of novel digital health tools and biomarkers.

In turn, it is hoped that the additional two months provided will enable discussions with patients and the public, to make sure they can make an informed decision about how their data will be used. A spokesperson for the UK’s Information Commissioner’s Office (ICO) has in turn, confirmed that whilst the ICO has “already engaged with NHS Digital regarding their data protection obligations, [the ICO] continue to work with them and others about next steps”.

Sharing data between the NHS and private companies for research purposes is not a new practice. The NHS holds powerful sets of data, that if properly used and analysed can result in innovation, leveraging the power of big data and new analytic tools. This move could drive cross-functional public-private partnerships to better harvest digital data and accelerate the development of diagnostic and therapeutic tools and deliver better efficiencies to the healthcare system. The COVID pandemic has been an excellent opportunity for regulators, health technology appraisal (HTA) bodies and other stakeholders to re-evaluate the use of such technologies to generate and analyse  real world data (RWD) and, with this move and the right protections, the UK could continue claiming its role as one of the natural homes of innovation.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

Zina Chatzidimitriadou

London

zchatzidimitriadou@sidley.com

You might also like
Chambers 2024 Global Practice Guides for Data Protection & Privacy and Cybersecurity
The newest editions of the Chambers Global Practice Guides have been published and, once again, Sidley lawyers have contributed to two guides: Data Protection & Privacy 2024 and Cybersecurity 2024. These publications cover important developments across the globe and offer insightful legal commentary for businesses on issues related to data privacy and cybersecurity, such as regulatory enforcement and litigation, global cooperation to combat cybercrime, international agreement on ‘Software Security by Design,’ a global approach to policy on artificial intelligence, and more. Sidley partner Alan Charles Raul is a contributing editor to both guides in addition to authoring the introductions. The UK chapters of Cybersecurity 2024, covering “UK Law and Practice” and “UK Trends and Development” were authored by Sidley lawyers William Long, Francesca Blythe, Denise Kara, and Eleanor Dodding.
Regulatory Update: National Association of Insurance Commissioners Spring 2024 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Spring 2024 National Meeting (Spring Meeting) March 15 through 18, 2024. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include proposed updates to the regulatory review process for affiliated investment management agreements, continued discussion of considerations related to private equity ownership of insurers, and continued development of accounting principles and investment limitations related to certain types of bonds and structured securities.

FinCEN Seeks Input on Banks’ Collecting Partial Social Security Numbers for Customer Identification Programs

On March 28, 2024, the Financial Crimes Enforcement Network (FinCEN), in consultation with the U.S. banking agencies and the National Credit Union Administration, issued a request for information (RFI) regarding the customer identification program (CIP) requirement for depository institutions (referred to herein as banks) to collect tax identification numbers (TINs).Comments are due by May 28, 2024.